Author Topic: Personal vs. Corporate security and privacy.  (Read 2048 times)


Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Personal vs. Corporate security and privacy.
« on: July 04, 2023, 11:32:43 am »
I am working with a company who use an end point security gizmo which basically proxies and firewalls all traffic, routing internal stuff based on auth and the controversial part, man in the middle attacking all HTTPS traffic with fake CA certs.

For example.  If you open google.com and search for something, you see the padlock and the browser reports this as a "Your connection is secure."

The hell it is!  If you actually look at the certificate it's signed by some random, self generated CA cert.  Applications with their own HTTPS clients like IDEs and Java apps have to have this fake CA cert injected.

So this end point decrypts your traffic using a man in the middle attack, analyses or does whatever it chooses with it.... then re-encrypts it and forwards back and forth.

There are several legal aspects to this which could get fairly snarly.  However the general premise is... it's their equipment and their network, they get to do whatever they want with it.  That includes spying on traffic.

My hackles raised, I immediately tried a few URLs and was at least somewhat pleasantly surprised when it did NOT in fact man in the middle attack my online banking or a few other financial and privacy critical sites.  However... without an awareness of IT and HTTPS security, the user sitting at the laptop has no idea whether they are being spied on or not.

The legal/civil issues arising from this are not in my opinion fully explored in law yet.  Certainly the cross-Atlantic nature of the spying has no current legal framework protecting me.  GDPR and in fact any UK based data transferred to/from the States has no legal framework in place to protect it, it's "voluntary" only.  If a company sells my data in violation of GDPR, or they refuse a subject access request to my data under GDPR, I have no legal pathway left (as of the current legal framework with the EU expiring and the UK failing to renew/negotiate any such framework).

HTTPS and SSL provide more than just "encryption".  They provide identification.  If I was to take a legally binding action on a website, technically this man in the middle attack means the traffic can be modified/tainted by a 3rd party (an entity in the middle over which I have no control or visibility).  This means that website sees this software endpoint's fabricated request as mine and I see this endpoint's fabricated response as being from the actual website... when it isn't.

I'm fairly sure that has many legal snakes and dragons to emerge.

In general however, I am getting more and more and more annoyed with the disparity between corporate privacy and security versus that of employees.  More in essence, the amount of training and lectures we need to endure on data security for the corporation and its customers is completely distinct from the way the company treats employee data.

An example:  Not 3 minutes after I got an automated warning for clicking on an email which was 'verified sender by office365 as internal' AND containing all correct signatures etc, linking to a "Dress code policy" which turned out to be a phishing test email...  I got an email from management with a link to a 3rd party survey site asking me highly personal information about my sexual behaviour and personal identity.  They claimed boldly that "all responses are anonymous", but then proceeded to state the links were individual and not to share the links.  I saw RED!

I tracked the URL back through the "Safe URL" encoding site to the survey provider and to their parent company.  I did a quick background check on this and found them to be a massive marketing and data agency.  Their terms and conditions and privacy policy made absolutely ZERO stipulation of anonymity, nowhere.

I raised it as a red flag on company channels.  What happened?

I got a "it's fine, we checked it for GDPR compliance, the company do not see the individual's name or email.  Just their department, location, email, role".

"No.  It's NOT fine.  You gave that uniquely identifiable information, which if you put into google will have me as the FIRST hit, to a third party without my consent."

I didn't send it.  They will claim "legitimate use for conducting business", placing their business use case above and beyond my personal privacy.

The nature of the information is the tip of the iceberg.  I am actively being discriminated against for being a white male.  I cannot, however, complain.  Any attempt to do so without anonymity would be career suicide.  This is basically the definition of discriminatory oppression but ... I will just need to bide my time, nothing is anonymous, there are no anonymous channels to start making noise on.

The privacy policy of that survey provider even went as far as stating answers to security questions were used for marketing purposes and may be distributed to their partners of course.
« Last Edit: July 04, 2023, 11:39:36 am by paulca »
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2267
  • Country: 00
Re: Personal vs. Corporate security and privacy.
« Reply #1 on: July 04, 2023, 12:21:58 pm »
If you are using your own computer, use Firefox which uses its own certificates and will never accept a connection to, for example, google.com with some fake certificate.
Of course, it could be that by doing so, you'll be blocked by the corporate firewall.
The only solution for that is to use the personal hotspot of your smartphone and simply use your own internet connection.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8177
  • Country: de
  • A qualified hobbyist ;)
Re: Personal vs. Corporate security and privacy.
« Reply #2 on: July 04, 2023, 12:25:43 pm »
Sounds like a lovely place to work at. >:D Unfortunately many companies perform such a hypocritical privacy and security soap opera without understanding what they are actually doing. It's mostly about ticking boxes on a cover-your-ass compliance list. However, HTTPS MITM middleboxes might be required by regulations (corporate form, industry).
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #3 on: July 04, 2023, 01:28:36 pm »
Luckily I work from home, so not only are the corp laptops on their own layer 2 network VLAN, but I have my own PC for browsing.

On industry and compliance.  Yes, financial sector, banks, brokerages, stock exchanges.  So compliance out the wazoo.

I think they should at least make it much clearer that internet traffic is insecure (to the individual) on company hardware.

I did also mention to them how, once you have that certificate, it can be quite trivial to fake other websites on the inside of the network.

I believe this whole thing happened to HP or Lenovo.  Can't remember which, but it shipped with a self signing CA cert for its "Web security endpoint" they shipped the laptops with.  Unfortunately, people then used that certificate to sign millions of other fake certs and other sub CA certs and eventually it started to propagate into the real SSL trust structures.  This was back in maybe 2017, but ended up with the top tier certificates having to be reissued from Google, Verisign and others world wide, to purge the broken trust link out of the system entirely.  Of course while all this was happening people with those laptops were wide open to all the fake scam websites impersonating legit ones with certs signed by it.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: Personal vs. Corporate security and privacy.
« Reply #4 on: July 04, 2023, 06:24:19 pm »
I agree this is ethically questionable, but it is considered a 'best practice' in many corporate spheres in America. They're careful to try and avoid MITMing 'protected' personal information like bank accounts and health information, but this is really just to cover their ass. The places I have seen that do this have always been quite clear about it during orientation, and usually provide a guest network / public kiosk machines that are snooping-free for employee's personal use. At least in Canada, they're legally required to make the situation very clear to employees, so as to remove the 'reasonable expectation of privacy' that would normally be afforded private Internet communications, whether using company networks / equipment or not.

As far as doing this across national borders, I agree there be legal dragons. Especially if they are doing it in the US to employees in a jurisdiction that protects employees more.

I wouldn't try to circumvent it, just use personal devices for personal use.

Quote
I did also mention to them how, once you have that certificate, it can be quite trival to fake other websites on the inside of the network.

You need the key, not the certificate, unless it's a wildcard certificate (which these systems usually do not use, they generate a new certificate for each domain they MITM, signed by the trusted CA). I believe that top-level (* or *.com) wildcard certificates are also not accepted by browsers for this reason.

Quote
I believe this whole thing happened to HP or Lenovo.

There have been a couple of cases where the trusted key has been accidentally/negligently shipped with the machines, and can then be extracted to sign certificates that other such machines will trust. You do need the key though, the certificate itself is not sufficient for arbitrary MITM. Installing trusted CA certificates at all by an OEM is something I'd consider borderline negligent to begin with, though. There is a public PKI they can utilize for their services, and any host-internal services can either be plaintext or use individually generated trusted *host* certificates, not CAs.
73 de VE7XEN
He/Him
 

Offline c64

  • Frequent Contributor
  • **
  • Posts: 311
  • Country: au
Re: Personal vs. Corporate security and privacy.
« Reply #5 on: July 05, 2023, 12:08:15 am »
This is probably just some kind of antivirus - all traffic is intercepted and scanned for viruses. Some sites are trusted and not intercepted (banks for example). Check your job agreement - I'm sure they say internet is only for work.

I would never log in to my banking from work computer (= not your own)
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #6 on: July 05, 2023, 10:03:23 am »
Quote
This is probably just some kind of antivirus - all traffic is intercepted and scanned for viruses. Some sites are trusted and not intercepted (banks for example). Check your job agreement - I'm sure they say internet is only for work.

I would never log in to my banking from work computer (= not your own)

I know what the software is, I'm just not mentioning it, as it's "one more dot" to join up to get the reality picture of where or whom I work for.

On the logging in.  I am required to provide some bank account statements and even crypto balances, legally required.  So the easiest way is to log in from the work machine and get them, rather than emailing them through all the filters and having the attachments removed.

In my last role a colleague called me to chat.  He had accidentally traded in a narrow fund which triggered red flags and he got audited.  In the meeting he provided them with the PDF statements.  They asked for CSV and he told them his brokerage did not give out download CSV statements.  They asked him to log in to his online bank on the screenshare so they could check if CSV download was available.

I stopped him in his tracks and said, "At that point you politely tell them the call is over.  You hang up and you immediately email the security officer and report these people.  It is NOT okay to ask someone to screen share their online banking, it is a serious security violation with legal implications."

Of course he made no fuss and just rolled over and did it.  I told him he should still report the security breach, but no, he didn't.
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #7 on: July 05, 2023, 10:08:13 am »
This morning they followed up on the phishing email which everyone, including me clicked.

"Why are these numbers so high?", and then the usual speech.

I couldn't hold it in.  So I vented.  I told them why so many people clicked on it.  I told them it was obvious it was not a phishing email, it could not be a phishing email and if they knew how Office365 worked, they'd know that.

I also pointed out that most of the genuine emails in the company contain 3rd party links, have GDPR and data disclosure issues, but we are meant to click those?

I stated if they want their employees to be security savvy they need to start leading by example and showing as much diligence and concern for employee data and not "Privacy policy by proxy" them continuously.

"if I published company or customer data onto a 3rd party website, there would be hell to pay.  Show me the same respect."

Hopefully I'm not unemployed tomorrow.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1371
  • Country: pl
Re: Personal vs. Corporate security and privacy.
« Reply #8 on: July 06, 2023, 09:47:45 pm »
Starting from the purely technical part: it is incorrect. TLS may identify the client machine, but this is not mandatory. In the case of browsers it’s extremely rare to see it happen, if a browser even implements the feature it’s buried deep in configuration and not intuitive to most people, and so far I heard of no single banking service even offering such an option. For encryption to work it’s sufficient one endpoint is authenticated. Usually this is the web server. Therefore in practice, in the context presented, TLS does not do what you described. From technical standpoint TLS is irrelevant to proving who sent a web request.

From the legal perspective the TLS connection being MitM-ed creates one more factor to consider. That factor may work both ways, depending on the local law and culture. On one hand it works strongly in your favor by providing plausible deniability. On the other hand it indicates you provided the access to a third party. On the third, small hand growing on the side: most people not having technical knowledge to understand this offers a sufficient excuse. We could cover our body with fractal hands going this rabbit hole, so let me stop here and consider only these three.

Even if that wasn’t enough, pay very close attention to what I wrote: “TLS may identify the client machine”. Under an assumption, that the server would authenticate the client, it would be the endpoint, not the person operating it. Since the endpoint is already under the control of your employer, MitM-ing the connection does not create a new breach. If a thief owns a warehouse in which you keep your stuff and has spare keys to it, it’s hardly important they can also paint a van to look like one you trust.


I do not know, how DPA is interpreted in the scenario of an employer obtaining personal data this way and processing it. Under GDPR the employer would not have any right to process personal data obtained this way beyond securing their systems. And while security purposes neither require consent nor can be easily challenged, everything else still applies.


Finally, the philosophical part. Employers breaching privacy of employees is a broad topic and boundaries are fuzzy. I myself certainly stand towards the privacy end of the scale. There is a lot of abuse. But that doesn’t mean I can wave the privacy flag in all scenarios.

In this case the key piece of information is: this is employer’s hardware and it is provided as the means to perform your work. If I gave somebody a truck to deliver goods to the client and the fleet has tracking system to reduce the impact of theft, the person decides to drive to lover’s home for an hour and I can see it in the logs: do I really invade their privacy? I believe we agree: not only the worker shouldn’t expect privacy if using employer’s car this way, they should have fuel, amortization and insurance costs proportionally deduced from their wage. I do not see, how a work computer provided by the employer is different. Companies usually turn their blind eye towards such situations and I do not mean to criticize the behavior per se! But that should not be changing interpretation of the very nature of these actions.

While debating privacy, we must not forget that it’s not only the worker’s privacy. The organization processes private information of their customers and other people. This information must also be protected and the company should deploy appropriate security measures. Scanning contents of company’s own traffic is one of the tools available. I may have mixed feelings about this particular method (TLS MitM), but it does not change the general idea and its implications for employees’ privacy. Equally, I am not trying to say $your_company is not abusing customers’ data. That specific company may and likely is, but in the general case a perfectly honest and privacy respecting company would still have to do the same.


A thing worth noting is: this kind of MitM-ing is problematic from security perspective. It is very easy to screw up, opening a critical vulnerability instead of aiding protection. If the proxy is on the target machine, the private key is stored on that machine too. If the adversary gets hold of that key, they can attack connections to this machine. Even worse if poor deployment leads to the same key being shared across multiple machines (yes, this does happen). If the proxy is external, the risk is lowered. But this creates a single point of failure and this point is weak compared to the normal CA system.
« Last Edit: July 07, 2023, 01:13:52 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
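Two technical points in this thread can be shown concretely: ve7xen's point in reply #4 that a per-host certificate can only be minted by whoever holds the CA's private key (the CA certificate itself is public), and golden_labels' point in reply #8 that once that CA is in an endpoint's trust store everything it signs is trusted there, which is also why the key sitting on the machine is the weak spot. The Go program below, using only the standard crypto/x509 package, is an added example and not code from anyone in the thread or from any product mentioned; the CA names, the host name and the "public root" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with the private key that signs under it. The key is
// what an issuer must hold; the certificate alone is public information.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewKey generates a fresh P-256 key (roots, leaves, and the "wrong key" case).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA builds a self-signed root. A public CA and an interception proxy's
// "fake CA" are made the same way; what differs is who has been told to trust them.
func NewCA(name string) (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueWithKey tries to sign a per-host server certificate under issuer using
// signer. Only the issuer's own private key yields a certificate that chains to
// issuer; any other key is rejected here or fails verification later.
func IssueWithKey(issuer *x509.Certificate, signer *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &leafKey.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueLeaf is what the proxy does for every host it decrypts: mint a
// certificate for that host, signed with the CA key it holds.
func IssueLeaf(ca *CA, host string) (*x509.Certificate, error) {
	return IssueWithKey(ca.Cert, ca.Key, host)
}

// Classify reports whether the certificate presented for host chains to one of
// the given roots. "non-public" against the real public roots but "public" once
// an extra root is added is the tell-tale of a proxy CA injected into the trust store.
func Classify(leaf *x509.Certificate, host string, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool}); err != nil {
		return "non-public"
	}
	return "public"
}

func main() {
	public, _ := NewCA("Example Public Root")  // stands in for a real public CA (constructed)
	corp, _ := NewCA("Corp Endpoint Proxy CA") // the "fake CA" from the thread (constructed)
	host := "www.example.com"
	genuine, _ := IssueLeaf(public, host)
	intercepted, _ := IssueLeaf(corp, host)
	fmt.Println("site's own cert, public roots only:  ", Classify(genuine, host, public.Cert))
	fmt.Println("proxy-issued cert, public roots only:", Classify(intercepted, host, public.Cert))
	fmt.Println("proxy-issued cert, proxy CA injected:", Classify(intercepted, host, public.Cert, corp.Cert))
	wrong, _ := NewKey()
	if _, err := IssueWithKey(corp.Cert, wrong, host); err != nil {
		fmt.Println("issuing under the proxy CA without its key:", err)
	}
}
```

Classify is the programmatic form of the check paulca did by hand in the first post: a certificate for a host that only validates after a non-public root is added to the trust store is one the proxy issued, not the site's own. The last lines show the other half of ve7xen's point: holding the proxy's CA certificate without its key gets you nothing that chains to it.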
 

Offline audiotubes

  • Regular Contributor
  • *
  • Posts: 176
  • Country: cz
Re: Personal vs. Corporate security and privacy.
« Reply #9 on: July 06, 2023, 10:04:22 pm »
Quote
I am working with a company who use an end point security gizmo which basically proxies and firewalls all traffic, routing internal stuff based on auth and the controversial part, man in the middle attacking all HTTPS traffic with fake CA certs.

For example.  If you open google.com and search for something, you see the padlock and the browser reports this as a "Your connection is secure."

The hell it is!  If you actually look at the certificate it's signed by some random, self generated CA cert.  Applications with their own HTTPS clients like IDEs and Java apps have to have this fake CA cert injected.

So this end point decrypts your traffic using a man in the middle attack, analyses or does whatever it chooses with it.... then re-encrypts it and forwards back and forth.

There are several legal aspects to this which could get fairly snarly.  However the general premise is... it's their equipment and their network, they get to do whatever they want with it.  That includes spying on traffic.


Sounds like we work for the same company. We can only work from company laptops which had last time I looked, 7 pieces of spyware that I could spot without looking hard. That is only the locally installed spyware, it doesn't include firewall antics, phishing tests etc.

I work for a very large company and the IT department is the worst (dumbest) I have ever seen. It's hard to know where the policies come from but the sad fact is that these companies have to make some obvious attempts to stop their resources from being used for things that could bring bad publicity to the company or illegal activities that could lead to costly litigation, etc.

Maybe you wrote it but I may have missed it since it's late and I'm tired, but given it's their machine I use it accordingly.  If you're using your own machine and have to be subjected to this, I would demand a company laptop etc. and use that only for business and do your personal stuff on your own machine.

I use my company email from the work machine for all business and business-related activities. I don't sign on to any personal websites or buy anything non-business related using that machine.
I have taken apart more gear than many people. But I have put less gear back together than most people. So there is still room for improvement.
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #10 on: July 07, 2023, 10:00:33 am »
TLS et. al asides.

The issue as I have boiled it down now, sans emotion, is one of "Privacy policy by proxy".

A company wants to provide a service to their employees.  Say a "How are you feeling?" survey.  Again, putting the anonymity aspects aside (for my particular case), the company still chooses to use an external 3rd party provider of that service.

This is massively common.  External providers are used for training and most of HR systems! External providers are used for email and even infrastructure these days.  The company holds only the infrastructure to supply Wifi, LAN and security/access in the office building.  I don't even think there is a server room, if it isn't a tiny cupboard somewhere.  It's entirely cloud run/based.

Spinning back a good few years and a highlight on how this can be done "better".

The company switched from a privately hosted email server (on the cloud) to Office365.  All employee accounts and email got migrated to Office365.  On transfer day for my department, we all logged into Office365, did the final binding of the laptops etc.

Office365 sends you an invite.  You click it to begin the process.  Now, straight up that is a 3rd party email with a link in it that you didn't ask for.  So you would need to have prior knowledge it was coming to not just delete it.  Moving on, when you click it, Office365 onboards "you" the individual.  It presents the individual's terms and conditions and privacy policy and it is up to ME if I choose to accept it or not.  This is critically important.  It is ME who accepts the privacy policy components which relate to my data.  Not my company.

I did raise the honest question, "What if I refuse the privacy policy?"

My manager pondered this and said, "Well, you wouldn't have email and you probably wouldn't be able to log into your work laptop by next week, so it would make you a bit difficult to place."

Basically, your choice is, accept the privacy policy or ...  resign.  This is not "privacy policy by proxy", this is "privacy policy extortion".

But since then I have accounts with about half a dozen HR related 3rd parties, half a dozen IaaS providers, a dozen customers and all their 3rd party training and compliance apps.

Some of the items we are talking about are not items such as "Name of my first pet.", some of them include my personal savings and the savings of my daughter.  Full transaction and cash statements.  Others might include a 25 question questionnaire around my sexual orientation, identification and gender etc. etc.  (This one I did refuse and will continue to do so, no matter how much they beg, and they DO BEG.)

Most of these services however, it is NOT the employee who is invited to create the account or register into it.  Instead the company uploads the full employee CSV file and creates accounts en masse for employees.  Employees then get emailed with whatever campaign or feature they require you to fill in.  It is THESE where the issue lies for me mostly.  I haven't even seen the privacy policy for these websites and in the ones I have looked at, "I personally would not have accepted that policy, because it's full of amber and red flags.  I personally would have rejected it.  By accepting it on my behalf, in my view, the company takes 100% responsibility for that data breach from my personal space."

I am tempted to, for example, without upsetting the apple cart too much, to do a bit of research here.

Let's say I start by submitting a subject access request to all these 3rd parties directly.  The PII in question is Full Name, Company, Location, Role.  If you put those into Google you find me, 1st entry.  I can prove I am that person, so I can gain subject access to it.  The "Company" can object, and if they do, they will do it in court.  Once I have that full dataset which is the "Minimum data footprint" resulting from the company's activities....   anything I find in there that is wrong or discriminatory I have grounds for damages.

Then there is the lack of "Duty of care."  Under GDPR when they transfer employee information for business needs, all the checks and balances and protections offered by GDPR have to be taken to an extent the company believes the organisation they are transferring the data to is in fact GDPR compliant.  (There are loopholes.)

My data is being freely handed out by my company to organisations in the USA, Canada and Asia.  When I have inquired in the past nobody, including the company's GDPR compliance officer, wanted to touch it with a 10 foot pole.  However, my savings accounts, transactions, passport, criminal history, barring checks, and employment history are freely distributed to and by our US clients.

(Apologies as I mix "my company/employer" with the company I actually work for and it's probably not clear.  My employer is UK based, my employment contract is UK based, my rights are UK based.  Most of the companies I work for are "international".)

A few other things off the top of my head...

Having to provide a customer with your personal email address, and/or, mobile phone number.  In some cases they absolutely insist it's personal.
In some cases these are used to send umpteen factor authentication fragments for first login.  In others they are just nosey and want direct access to the individual thus to avoid any contractual work hours hurdles.

Having to install mobile applications on my personal phone.  In most of these cases you are required to disable the Android security protections, add a third party app source, then disable more security to allow installation of the APK file from their app repo.  Once installed it asks for everything from Access to Contacts, Access to make calls, Access to camera and microphone.  Now it does include an internal Zoom client, which might explain those, but you have to accept ALL of them to be able to use the app, just to get the MFA token generator.

Having customers ask for my personal email and phone number on emails with over 100 people in it.  Having ignored it three times, they posted a sterner email containing a list of all the idiots they had scammed so far.  Their full name, personal email address, personal mobile number, city location and work hours.

"THIS!  THIS!  Is why you can't have my personal details you *****ing morons..."
"Save this draft?"... NO.

In fairness the above and the fact it was a screenshot of a wiki page did get noticed and I did not report it.  About 3 weeks later the entire Wiki system now has a mandatory "Accept[]" box on EVERY log in with an assertion that you understand that PII and employee or customer contact information should not be stored there.
« Last Edit: July 07, 2023, 10:54:02 am by paulca »
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5031
  • Country: si
Re: Personal vs. Corporate security and privacy.
« Reply #11 on: July 07, 2023, 10:46:17 am »
Yeah it is a sticky subject.

I'd say if the company owns the computer you are given, then they technically can monitor the computer activity in all of these ways, since they own the computer, so they can do with it what they want. But yeah I don't think they should be doing this, even if it is technically allowed.

I'd say do anything personal on your own phone. Also use a VPN to safely tunnel your way out of the network if you are using the WiFi or something. It is quite common for large companies to funnel all the network traffic through one centralized "security gate".

As for them disseminating your personal information everywhere, that is indeed shitty. Not sure how legal that is, but you could certainly try applying your GDPR rights to ask all of these places to delete your personal data (no idea how well that works, but I am curious to know).
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 655
  • Country: fi
Re: Personal vs. Corporate security and privacy.
« Reply #12 on: July 07, 2023, 01:13:12 pm »
It was a big issue a couple of years ago, when they basically started to decrypt all traffic. I contacted union lawyers and they responded that if we take it to court, the company could be in trouble (at least at the time the laws here were quite strict). Nobody cared to take it to court. Nowadays it's watered down, so they don't decrypt traffic to banks, web mail and such. I don't think it's a big deal any more, especially when working from home. I also have the company laptop on its own VLAN (Virtual LAN), separated from my home network.
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #13 on: July 07, 2023, 02:17:20 pm »
Quote
I also have the company laptop on its own VLAN (Virtual LAN), separated from my home network.

My reason for doing this unfortunately did not emerge until it "happened".

I got breached and hacked by a work laptop.  An Apple laptop.  By "Hacked" I mean that within the first 3 hours of being on my Wifi it knew my address to within a few doors.  (Wifi neighbourhood) It was offering me access to movies and mp3s in my DLNA services and presenting thumbnails and search suggestions deep into my personal files.

I ran a network trace on it.  I could not get the promiscuous traffic, but I could get the broadcast.

iOS was brute force attacking the samba shares.  Repeatedly trying different workgroup, domain and password combinations to register with the workgroup election mechanics.

I don't care if this is legal or not IT DOES NOT HAPPEN on my network.

I spent £250 upgrading hardware to support VLAN'ing because I wanted a wired connection and "Guest wifi" was rubbish.

I never signed up or accepted the Apple Cloud privacy policy or T&C.  Yet Apple have my data.

I even raised this with the IT staff who shrugged.  Again I was considering taking action... but again, my contract would default terminate for taking any litigation against the company or its customers.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1371
  • Country: pl
Re: Personal vs. Corporate security and privacy.
« Reply #14 on: July 07, 2023, 05:18:07 pm »
Let’s start with an important note. The company does not provide this service to employees. The company “provides the service” to itself. And the “3rd party” and “no 3rd party” distinction is also a false dichotomy. Any company, other than the one in which owners do all the job, uses external 3rd parties: workers. There is this weird perception that workers are somehow a unity with the company. Which coincides with common security and trust fallacies repeated over and over again in so many contexts through history: putting risks on the exterior, foolishly trusting the interior. I am not saying there is no difference between service providers. There is, but not simply “good-bad”, but in particular properties not mapping to a single linear scale.

What you describe is IMO unrelated to what kind of entity provides the service. If related at all, at best it gives a particular shape to the problem without creating it.

The arrangements made by the company are where the problem lies, supported by the culture we live in. The company should make all agreements by themselves and the employee should be given ready-to-use tools. They do not, because management does not care about such things: both about privacy and about legal details of this kind. But they do not care in either direction. It’s not a sufficient cause by itself. The other, critical part of the equation is the culture.

People. Do. Not. Care. Period. Unlike many decisions made consciously to benefit the company even at the risk of being detrimental to workers, in my experience for this kind of stuff there is no strong drive towards any choice. There is no deliberation, there is no assessment. It’s an almost subconscious move from “we need a solution to X” and “we saw Y offers solution to X” to “let’s use Y”. Privacy is not rejected — it is never noticed as a thing worth consideration. Not in any malicious or otherwise intentional manner, not due to not caring about a particular subgroup of people, but the culture itself not seeing this as relevant. It is usually a mere consequence of the world the general population is building.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #15 on: July 07, 2023, 06:18:12 pm »
Exactly.  It's like having to explain why you want to be private and have privacy.   A lot of people simply do not understand that.  I worked with a guy where this privacy debate came down to me asking if his bathroom door had a lock and if his bedroom had curtains.  Turns out that no, neither, and no he didn't care.

Ben Elton's book, em...  "blind faith."

Pretty much a crap sci-fi dystopian future where privacy is not only considered weird but is illegal and everyone must be seen to publish their entire lives or be considered outcasts.  It's crap, the issues are dealt with too bluntly, the humour is a little too dry constantly and almost missable.  Some of the tropes are exhausted far quicker than he lets them go.  / book review.

https://en.wikipedia.org/wiki/Blind_Faith_(novel)
« Last Edit: July 07, 2023, 06:20:28 pm by paulca »
 

Offline paulcaTopic starter

  • Super Contributor
  • ***
  • Posts: 4283
  • Country: gb
Re: Personal vs. Corporate security and privacy.
« Reply #16 on: July 07, 2023, 06:21:44 pm »
In fact the question itself affords no answer other than...

NONE OF YOUR BUSINESS.
 